Thursday, December 4, 2014

Installing SIFT 3.0 on Apple Mac OS X Yosemite 10.10.1

Applications needed: SIFT Kit 3.0, Keka File Archiver, VirtualBox

Download the latest version of the SIFT Kit here. If you don't already have one, you'll need to create an account with SANS.

The SIFT Kit is compressed using 7z. Use an application like Keka to extract it on OS X. Once you install Keka, double-click on the SIFT file you downloaded. The file will begin extracting in the same directory.

Once it's complete, you will see a new folder in the same directory. The SIFT Workstation 3 folder contains the VMware virtual appliance files that are used by the SIFT Kit. Move these to a permanent location before importing them, since VirtualBox will reference the disk files by path.

You should end up with a new virtual machine, but we're not done yet. The SIFT Kit ships with a second, dynamically expanding disk for case data that the import does not attach on its own. We need to add it under Storage in the VirtualBox settings so that it's recognized when we fire up the virtual machine. Click on Settings.

Select the SIFT Workstation 3.0 Cases.vmdk file, which is located in the SIFT Workstation 3 folder.

You will now see two disks under Storage > SATA. The Core Drive, which holds the Ubuntu OS, is the disk that boots when you start the virtual machine; SATA Port 1 is the dynamically expanding Cases disk.
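The same attach-and-verify step can be done from the Terminal with VBoxManage, which is handy if you build the SIFT VM more than once or want to confirm the Cases disk really landed on SATA Port 1 before booting. The script below is an added example and is not part of the original post or of the SANS SIFT Kit; the VM name, the controller name "SATA", the path under ~/VMs and the Core Drive file name are assumptions you should adjust to what Settings > Storage shows. The two "showvminfo" outputs embedded in it are constructed samples in the format VBoxManage produces, so the check runs offline; on a real machine you would pipe the output of `VBoxManage showvminfo "<VM name>" --machinereadable` into it instead.

```shell
#!/bin/sh
# Added example (not from the original post or the SIFT project): attach the
# SIFT Cases disk to the imported VM with VBoxManage and verify that both
# disks sit on the SATA controller before starting the machine.
# VM_NAME, SATA_CTL and CASES_VMDK are assumptions; override them via the
# environment to match your import.
VM_NAME="${VM_NAME:-SIFT Workstation 3.0}"
SATA_CTL="${SATA_CTL:-SATA}"
CASES_VMDK="${CASES_VMDK:-$HOME/VMs/SIFT Workstation 3/SIFT Workstation 3.0 Cases.vmdk}"

# Print (rather than run) the command that attaches the Cases disk to SATA
# port 1, device 0. Port 0 is the Core Drive that boots; attaching the Cases
# disk there would stop the VM from booting, so review the line first.
sift_attach_cmd() {
  printf 'VBoxManage storageattach "%s" --storagectl "%s" --port 1 --device 0 --type hdd --medium "%s"\n' \
    "$VM_NAME" "$SATA_CTL" "$CASES_VMDK"
}

# Read `VBoxManage showvminfo <vm> --machinereadable` output from stdin and
# return 0 only if SATA ports 0 and 1 both carry a .vmdk disk. An empty port
# shows up as "<ctl>-<port>-0"="none" in that output.
check_sata_disks() {
  ctl="$1"
  info=$(cat)
  port0=$(printf '%s\n' "$info" | sed -n "s/^\"${ctl}-0-0\"=\"\(.*\)\"$/\1/p")
  port1=$(printf '%s\n' "$info" | sed -n "s/^\"${ctl}-1-0\"=\"\(.*\)\"$/\1/p")
  case "$port0" in
    *.vmdk) ;;
    *) echo "SATA port 0 (Core Drive) has no disk: '${port0:-missing}'" >&2; return 1 ;;
  esac
  case "$port1" in
    *.vmdk) ;;
    *) echo "SATA port 1 (Cases disk) has no disk: '${port1:-missing}'" >&2; return 1 ;;
  esac
  echo "Core Drive: $port0"
  echo "Cases disk: $port1"
  return 0
}

# Constructed sample outputs (the Core Drive file name is assumed) showing the
# machine-readable format before and after the Cases disk is attached.
SAMPLE_BEFORE='"storagecontrollername0"="SATA"
"SATA-0-0"="/Users/analyst/VMs/SIFT Workstation 3/SIFT Workstation 3.0 Core Drive.vmdk"
"SATA-ImageUUID-0-0"="00000000-0000-0000-0000-000000000001"
"SATA-1-0"="none"'
SAMPLE_AFTER='"storagecontrollername0"="SATA"
"SATA-0-0"="/Users/analyst/VMs/SIFT Workstation 3/SIFT Workstation 3.0 Core Drive.vmdk"
"SATA-ImageUUID-0-0"="00000000-0000-0000-0000-000000000001"
"SATA-1-0"="/Users/analyst/VMs/SIFT Workstation 3/SIFT Workstation 3.0 Cases.vmdk"
"SATA-ImageUUID-1-0"="00000000-0000-0000-0000-000000000002"'

echo "Attach the Cases disk with:"
sift_attach_cmd
echo
echo "Check against the constructed 'before' output (expected to fail):"
printf '%s\n' "$SAMPLE_BEFORE" | check_sata_disks SATA || echo "-> Cases disk not attached yet"
echo
echo "Check against the constructed 'after' output:"
printf '%s\n' "$SAMPLE_AFTER" | check_sata_disks SATA
```

Run the printed VBoxManage line once you are happy with the paths, then feed the real `showvminfo --machinereadable` output to check_sata_disks SATA; a non-zero exit means one of the two disks is missing and the VM should not be started yet. The check deliberately keys on the port numbers rather than the file names, because the port is what decides which disk boots.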

Next, click Start or double-click the newly created virtual machine. This will boot the SIFT Kit.

After Ubuntu boots, you should see the SANS login screen. Log on and start forensicating.